Saturday, November 10, 2012

Setting up a ModSecurity powered Reverse Proxy

Overview

Continuing my series of ModSecurity-related posts, in this one I explain how to set up a reverse proxy that processes all the requests received from any browser and then forwards them to the web applications we want to protect. This reverse proxy is an autonomous VM that is flexible enough to deploy in front of numerous web applications. For example, we can write generic ModSecurity rules and then copy the VM to multiple places to process requests there. Afterwards, we can parameterize each VM according to the application that resides behind it.

My aim is to create a reverse proxy that handles more than one web application's requests.

Below, there is a schematic of the VM infrastructure that I have described earlier.

Architecture

Advantages

Unified Rules. With this architecture we have one VM that is charged with filtering every HTTP request to our web applications, so we can edit the rules and parameterize them in one place in order to filter possibly malicious requests. Core rule sets can be used for generic protection and, in the meantime, we can parameterize the rules for specific fields and functions of our web applications.

Network Security. The security of our network becomes more robust and solid. The web applications are isolated; they receive HTTP requests only from the reverse proxy.

Cost Free! I have used only freeware; no money is needed for this architecture and infrastructure.

Disadvantages

Time Consuming. ModSecurity needs dedicated professionals in order to write rules and parameterize the product.

Single Point of Failure. The ModSecurity VM is a single point of failure, meaning that if the VM is down, the web applications will be unavailable and inaccessible.

Configuration

First of all, we need to install ModSecurity on our Debian VM, which will be acting as a reverse proxy. Then we enable it and download the OWASP Core Rule Set, which can be found here.

More specifically, we follow these steps:

apt-get install libapache-mod-security
a2enmod mod-security

Now, we need to set up the reverse proxy. We create a file at the location /etc/apache2/sites-available and we enable it by creating a soft link to it at the location /etc/apache2/sites-enabled. Below you can see a sample site. This is only a sample; you can parameterize it and customize it as you wish.

Now, every request to the web applications is examined by ModSecurity and then, proxied to the appropriate IP inside our LAN.
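The following site file is an added example of the setup described above, not the sample from the original post. It shows one proxy fronting two applications, with the Core Rule Set applied to both and one application-specific rule. The file name, host names, backend addresses, log path, CRS path, rule id and the field name account_no are all assumptions made for illustration.

```apache
# /etc/apache2/sites-available/modsec-proxy  (file name is an assumption)
# Also requires the proxy modules: a2enmod proxy proxy_http
# Assumes the distribution's proxy.conf does not deny proxied requests.

<IfModule mod_security2.c>
    # Block matching requests instead of only detecting them
    SecRuleEngine On
    # Required so POST bodies (form fields) are inspected
    SecRequestBodyAccess On
    # Audit-log only the transactions that triggered a rule
    SecAuditEngine RelevantOnly
    # Log path is an assumption
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Generic protection for every application behind the proxy.
    # Placeholder path: point it at the downloaded OWASP Core Rule Set.
    Include /path/to/owasp-crs/*.conf
</IfModule>

# Application 1 (constructed host name and LAN address)
<VirtualHost *:80>
    ServerName bank.example.test
    # Reverse proxy only, never an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.56.101/
    ProxyPassReverse / http://192.168.56.101/

    <IfModule mod_security2.c>
        # Per-application rule for a hypothetical field "account_no":
        # reject any value that is not 1 to 12 digits. The rule does
        # not fire when the parameter is absent from the request.
        SecRule ARGS:account_no "!@rx ^[0-9]{1,12}$" \
            "id:1000001,phase:2,deny,status:403,log,msg:'account_no is not numeric'"
    </IfModule>
</VirtualHost>

# Application 2 (constructed host name and LAN address)
<VirtualHost *:80>
    ServerName bwa.example.test
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.56.102/
    ProxyPassReverse / http://192.168.56.102/
</VirtualHost>
```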

Example

I am going to omit a demo attack on the OWASP BWA VM because I have already examined it in a previous post on my blog. Therefore, the scenario I am going to follow is to send a simple SQL injection payload to the Hacme Bank web application.

Conclusion

A reverse proxy running ModSecurity can be used to protect server farms that host critical web applications. This architecture is a low-cost option that could offer significant security protection if ModSecurity is parameterized correctly.
